Kjell Tore Guttormsen
ce3891bdd0
Single-file SPA playground har nå parser + renderer for alle 18 produces_report=true-kommandoer (Fase 2: 10 høy-prio + Fase 3: 8 gjenstående: mcp-inspect, supply-check, pre-deploy, diff, watch, registry, clean, threat-model). 18 markdown test-fixtures fungerer som kontrakt-anker for parser-utvikling. Komplett demo-prosjekt `dft-komplett-demo` har alle 18 rapporter ferdig parsed inline — klikk-gjennom uten "parser ikke implementert"- paneler. 2 nye archetypes i KEY_STATS_CONFIG: kanban-buckets (clean) og matrix-risk (threat-model). Bug-fix: normalizeVerdictText sjekker nå GO-WITH-CONDITIONS / CONDITIONAL / BETINGET FØR plain GO så betinget verdict (pre-deploy med åpne vilkår) ikke kollapser til ALLOW. Eksponert 11 window-globaler for testing/automasjon (__store, __navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG, __inferVerdict, __inferKeyStats, __renderPageShell, __handlePasteImport, __scheduleRender). 12 Playwright-genererte screenshots i playground/screenshots/v7.5.0/. A11Y-rapport (WCAG 2.1 AA): 0 blokkerende, 3 mindre forbedringer flagget for v7.5.x patch (skip-link, heading-hierarki på project, aria-live toast). Versjonsbump 7.4.0 -> 7.5.0 i 10 filer (package.json, plugin.json, CLAUDE.md header, README badge, CHANGELOG-entry, 3 scanner VERSION- konstanter, ROADMAP, marketplace-rot README). Ingen scanner- eller hook-behavior-changes — purely additive surface. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
100 lines
3.5 KiB
Markdown
100 lines
3.5 KiB
Markdown
# Supply-Chain Recheck Report
|
|
|
|
---
|
|
|
|
## Header
|
|
|
|
| Field | Value |
|
|
|-------|-------|
|
|
| **Report type** | supply-check |
|
|
| **Target** | ~/repos/dft-marketplace |
|
|
| **Date** | 2026-05-05 |
|
|
| **Version** | llm-security v7.4.0 |
|
|
| **Scope** | npm + pip + cargo lockfiles |
|
|
| **Frameworks** | OWASP LLM03, NIST SSDF |
|
|
| **Triggered by** | /security supply-check |
|
|
|
|
---
|
|
|
|
## Risk Dashboard
|
|
|
|
| Metric | Value |
|
|
|--------|-------|
|
|
| **Risk Score** | 22/100 |
|
|
| **Risk Band** | Medium |
|
|
| **Grade** | B |
|
|
| **Verdict** | WARNING |
|
|
|
|
| Severity | Count |
|
|
|----------|------:|
|
|
| Critical | 0 |
|
|
| High | 1 |
|
|
| Medium | 4 |
|
|
| Low | 2 |
|
|
| Info | 6 |
|
|
| **Total** | **13** |
|
|
|
|
**Verdict rationale:** 1 HIGH OSV.dev advisory on `lefthook@1.4.2` (CVE-2024-1234, denial-of-service via crafted hook config). 4 MEDIUM typosquat candidates flagged for manual review.
|
|
|
|
---
|
|
|
|
## Ecosystem Coverage
|
|
|
|
| Ecosystem | Lockfile | Packages | OSV.dev Hits | Typosquats |
|
|
|-----------|----------|---------:|-------------:|-----------:|
|
|
| npm | package-lock.json | 412 | 1 | 2 |
|
|
| pip | requirements.txt | 38 | 0 | 1 |
|
|
| cargo | Cargo.lock | 71 | 0 | 0 |
|
|
| go | go.sum | 0 | 0 | 0 |
|
|
| docker | (none) | 0 | 0 | 0 |
|
|
| **Total** | | **521** | **1** | **3** |
|
|
|
|
---
|
|
|
|
## Findings
|
|
|
|
### High
|
|
|
|
| ID | Category | File | Line | Description | OWASP |
|
|
|----|----------|------|------|-------------|-------|
|
|
| SCR-001 | OSV.dev CVE | package-lock.json | 8421 | lefthook@1.4.2 → CVE-2024-1234 (DoS via crafted hook config) | LLM03 |
|
|
|
|
### Medium
|
|
|
|
| ID | Category | File | Line | Description | OWASP |
|
|
|----|----------|------|------|-------------|-------|
|
|
| SCR-002 | Typosquat | package-lock.json | 1247 | `expresss` (3 s's) Levenshtein 1 vs `express` | LLM03 |
|
|
| SCR-003 | Typosquat | package-lock.json | 2891 | `lodahs` Levenshtein 2 vs `lodash` | LLM03 |
|
|
| SCR-004 | Typosquat | requirements.txt | 22 | `requests-mock` legitimate, `request-mock` (no s) Levenshtein 1 — manual review | LLM03 |
|
|
| SCR-005 | Recent | package-lock.json | 5103 | `colorette@3.1.0` published 71 hours ago (<72h gate) | LLM03 |
|
|
|
|
### Low
|
|
|
|
| ID | Category | File | Line | Description | OWASP |
|
|
|----|----------|------|------|-------------|-------|
|
|
| SCR-006 | Maintenance | package-lock.json | — | 18 packages with last-published > 730 days | — |
|
|
| SCR-007 | License | requirements.txt | 12 | `chardet==3.0.4` LGPL-2.1 — verify compatibility | — |
|
|
|
|
### Info
|
|
|
|
| ID | Category | File | Line | Description | OWASP |
|
|
|----|----------|------|------|-------------|-------|
|
|
| SCR-008 | Provenance | package-lock.json | — | 412/412 packages have npm-registry provenance | — |
|
|
| SCR-009 | Provenance | Cargo.lock | — | All 71 crates from crates.io | — |
|
|
| SCR-010 | Coverage | go.sum | — | No Go dependencies detected | — |
|
|
| SCR-011 | Coverage | (docker) | — | No Dockerfile detected | — |
|
|
| SCR-012 | Cache | OSV.dev | — | 521 packages queried, 510 cached, 11 fresh lookups | — |
|
|
| SCR-013 | Cache | TTL | — | OSV cache TTL: 6 hours, hit-rate 97.9% | — |
|
|
|
|
---
|
|
|
|
## Recommendations
|
|
|
|
1. **Immediate:** Bump `lefthook` to ≥1.5.0 to clear CVE-2024-1234. Run `npm install lefthook@latest`.
|
|
2. **High:** Verify `expresss` and `lodahs` are not legitimate packages. Both look like typosquat-bait.
|
|
3. **Medium:** Wait 24h before pinning `colorette@3.1.0` (currently <72h since publish — supply-chain attack window).
|
|
4. **Low:** Audit LGPL-2.1 dependency `chardet==3.0.4` for license-compatibility with project license.
|
|
|
|
---
|
|
|
|
*Supply-chain recheck complete. 521 packages across 3 ecosystems, 13 findings.*
|